SM12: Opportunities and Limits of Modern Smartphone Forensics
A. Dhein, Institute for Information Systems Research (M. Becker), University Campus Koblenz; K15, IuC Forensics, technical investigation assistance, Criminal Police Department Koblenz
• Andreas Dhein, 37 years old, married, 2 kids, lives and works in Koblenz
• Diplom-Informatiker (former German degree, comparable to an MSc)
• Employee at the Criminal Police Department of Koblenz
• Member of the European FREETOOL project (SQLiteProcessor)
• Mac OS X / iPhone forensics (Zdziarski, Hoog etc.)
• Geolocation-based services (iPhoneTrackerLE, AndroidTrackerLE)
• PhD (work in progress) at the University of Koblenz-Landau
1. Introduction
• Ubiquitous mobile computing
• Opportunities due to mobile forensics
• Limitations due to diversity
  • different systems
  • different hardware
  • different interfaces
2. Seizing mobile devices
3. Acquisition of as much as possible
4. Decoding Flash Images
5. Examination of Source Data
6. Reporting the Results
Disclaimer: The icons and logos used belong to their original owners. Thanks to Peter Warnke (Cellebrite Germany) for providing lots of them.
2. Seizing mobile devices
• Preview before seizing???
  • Pro: possibility of finding incriminating evidence on the spot and making a direct accusation
  • Pro: selecting devices reduces the amount of evidence and speeds up general processing
  • Con: starting apps alters data on the device
Bypass passcode (iOS 3, 4, 5), Zdziarski tools*
• Download AutomatedTools.zip from iosresearch.org
• Up to iPhone model A1303 (3GS), iOS < 4.x:
  1. $ ./setup.sh
     • loads firmware, patches, ROM image etc. from the internet
  2. $ ./boot-passcode.sh
     • put the iPhone into DFU mode** (the script tells you when)
     • patches the kernel to execute an unsigned bootloader
     • put the iPhone into Recovery*** or DFU mode (the script tells you when)
     • boots the prepared unsigned ROM and automatically removes the passcode permanently
• From iOS 4.x / iOS 5.x (multi-platform):
  1. $ ./recover-keys.sh
     • brute-forces the 4-digit passcode if one is set
     • recovers the encryption keys from the device
     • decrypts the encrypted passwords from the keychain
  2. $ ./recover-raw.sh
     • ...
• But fortunately the passcode is not needed for dumping raw/filesystem images either ☺
* Access to iosresearch.org is restricted to members of law-enforcement agencies
** Device Firmware Upgrade (DFU) mode (screen stays completely black): low-level transfer mode, which can be exploited (injectgreen, injectpois0n)
*** Recovery mode (iTunes symbol): higher-level transfer mode, which can be exploited
3. Acquisition of as much as possible
• Different types of storage
• Different types of acquisition
  • Logical backup
  • Physical NAND dump
  • JTAG
  • Chip-off
• Forensically sound or not?!
External: (U)SIM card
• Non-volatile storage on the card: EEPROM*
• Hierarchical file system
  • Master File (MF)
  • Dedicated Files (DF)
  • Elementary Files (EF)
• Content
  • Last Numbers Dialed (LND): up to 10 numbers, if stored at all
  • Phonebook/contacts (ADN, Abbreviated Dialing Numbers)
  • Text messages (SMS)
  • Location information (LOCI) from the last usage
  • Service-related information
• Acquisition
  • Forensic Card Reader 2
* EEPROM: Electrically Erasable Programmable Read-Only Memory
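The phonebook (ADN) lives in the elementary file EF_ADN below DF_TELECOM, as fixed-length records. The decoder below is an added example (not code from the slides or from the Forensic Card Reader): it takes a raw record dump as a card reader returns it and turns the swapped-nibble BCD number and the alpha identifier into readable entries. The sample records, the names and numbers in them are constructed for the demo; the alpha-identifier decoding is simplified (UCS2 with 0x80 prefix, otherwise ASCII is assumed instead of a full GSM 7-bit alphabet table).

```python
# Decoder for EF_ADN (Abbreviated Dialling Numbers) records read from a (U)SIM,
# path MF 3F00 / DF_TELECOM 7F10 / EF_ADN 6F3A (record layout per 3GPP TS 51.011 / 31.102).
# Record (X + 14 bytes): alpha identifier (X bytes, 0xFF padded) | length of BCD part (1) |
# TON/NPI (1) | dialling number, swapped-nibble BCD (10) | capability/config id (1) | Ext1 id (1)

BCD_DIGITS = "0123456789*#abc"  # nibble values 0x0-0xE; 0xF is the filler nibble


def decode_bcd_number(raw: bytes) -> str:
    """Decode a swapped-nibble BCD dialling number; the low nibble of each byte comes first."""
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:          # filler: end of number (or odd digit count)
                continue
            digits.append(BCD_DIGITS[nibble])
    return "".join(digits)


def decode_alpha(raw: bytes) -> str:
    """Decode the alpha identifier: UCS2 (0x80 prefix, UTF-16BE) or, simplified here,
    GSM default alphabet treated as ASCII (assumption: plain Latin letters only)."""
    raw = raw.rstrip(b"\xff")           # strip padding (assumes the text never ends in 0xFF)
    if raw[:1] == b"\x80":
        return raw[1:].decode("utf-16-be")
    return raw.decode("ascii", errors="replace")


def decode_adn_record(rec: bytes):
    """Return {'name', 'number', 'ext1'} for one record, or None if the record is unused."""
    if all(b == 0xFF for b in rec):
        return None
    x = len(rec) - 14                   # size of the alpha identifier field
    length, ton_npi = rec[x], rec[x + 1]
    number = ""
    if length != 0xFF:                  # 0xFF: no number stored in this record
        bcd = rec[x + 2 : x + 2 + (length - 1)]   # length counts the TON/NPI byte too
        number = decode_bcd_number(bcd)
        if (ton_npi >> 4) & 0x7 == 0x1:           # type of number 001 = international
            number = "+" + number
    return {"name": decode_alpha(rec[:x]), "number": number, "ext1": rec[x + 13]}


def decode_adn_file(data: bytes, record_len: int) -> list:
    """Split a linear-fixed EF_ADN dump into records and decode the ones in use."""
    assert len(data) % record_len == 0, "truncated dump"
    entries = []
    for offset in range(0, len(data), record_len):
        entry = decode_adn_record(data[offset : offset + record_len])
        if entry is not None:
            entries.append(entry)
    return entries


# Constructed sample: three 28-byte records (X = 14) as they would sit in EF_ADN.
SAMPLE_EF_ADN = (
    b"Alice" + b"\xff" * 9 + b"\x07\x91" + bytes.fromhex("947110325476") + b"\xff" * 4 + b"\xff\xff"
    + b"\x80" + "B\u00e4cker".encode("utf-16-be") + b"\xff" + b"\x05\x81" + bytes.fromhex("201621f3") + b"\xff" * 6 + b"\xff\xff"
    + b"\xff" * 28                                  # unused record
)

if __name__ == "__main__":
    for entry in decode_adn_file(SAMPLE_EF_ADN, 28):
        print(entry)
```

The record length (X + 14) is not fixed by the standard; read it from the file's FCP/response before splitting a dump, and keep the raw records next to the decoded output so that a disputed entry can be verified nibble by nibble.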
• Every major mobile platform offers the possibility to back up personal information and/or device data online
  • Apple iCloud: https://www.icloud.com
  • Android: various, https://[drive|docs].google.com ...
  • Microsoft Windows Live: no web access (?)
• How to get the data from the cloud?
  • Syncing to a "fresh" device after signing in with the ID/password
  • Downloading the data directly?
    • Apple: downloading the complete backup (EPB, iloot.py)
    • Android: Google Drive, Google Docs, mails ... (not directly)
    • Windows Mobile: contacts, notes and SMS messages (EPB)
Logical backup
• Cons
  • Limited access to files
  • No prior file versions
  • No deleted files (although deleted entries may still be present in DBs)
  • Trusting the kernel!? (the acquisition relies on the device's own software)
Physical acquisition (NAND dump, JTAG, chip-off)
• Pros
  • Advanced access to the file system (file-system backup)
  • Direct access to the flash memory storage (nanddump)
  • Physical access to the flash memory chip (JTAG, chip-off)
• Cons
  • Expert-level forensics, which also means expensive ☺
  • Disassembling the device (JTAG)
  • Destroying the device (chip-off)
  • "Only one chance" to obtain the data
  • "Digging in the dirt" forensics (reverse engineering the wear leveling)
RAM (volatile memory)
• Not done so far, at least not that I am aware of
• A RAM dump should be possible in theory
  • gain root privileges, then dump the memory device
  • dd if=/dev/mem of=mem.dd (probably will not work: most kernels restrict access to /dev/mem)
  • Problems: drained batteries; reboots during the acquisition
• Will contain
  • processes (e.g. for malware analysis)
  • passwords, access tokens (things that have to be kept up and running)
  • communication artifacts etc. (journaling file systems)
• Might contain volatile/temporary data
  • geolocation data on Android (no longer found in file space)
4. Decoding flash images
• Invented around 1980 by Dr. Fujio Masuoka (Toshiba); the name "flash" was suggested because the erase process reminded a colleague of Dr. Masuoka of a camera flash
• Erasing causes (heat) damage to the floating-gate insulator, so the number of erase cycles is limited:
  • 10,000-100,000 (NOR)
  • up to 2,000,000 (NAND)
• NAND memory chip features
  • cheap, small form factor
  • fast serial (page-wise) access cycles
  • fast read/write access
  • high storage capacity
• Problems to address when decoding flash memory dumps
  • Structure: block-wise storage of pages, which in turn consist of cells
  • Wear leveling: writes are spread over the whole chip, and error/bad-block management is needed because of the limited cell lifetime, so the physical page order is not the logical order
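What "reverse engineering wear leveling" means in practice, as an added example (not code from the slides and not a real flash translation layer): a physical NAND dump is a sequence of pages whose spare (OOB) area records which logical page the data belongs to and how recent the copy is. Rebuilding the logical image means keeping the newest copy per logical page; the older copies that wear leveling left behind are exactly the data a logical backup never shows. The page geometry and the OOB layout (u32 logical page number, u32 write sequence) are invented for the demo; real controllers use other tag formats and ECC, but the reconstruction logic is the same.

```python
import struct

# Demo geometry (real NAND: 2048/4096-byte pages with 64 or more spare bytes)
PAGE_DATA = 16
PAGE_OOB = 8
PAGE_SIZE = PAGE_DATA + PAGE_OOB
FREE = 0xFFFFFFFF   # erased flash reads as all ones

# Hypothetical OOB layout of this demo FTL: <u32 LE logical page number><u32 LE write sequence>.
# Real FTLs (e.g. YAFFS2 tags) differ, but the reconstruction idea is the same.


def make_page(data: bytes, lpn: int, seq: int) -> bytes:
    assert len(data) <= PAGE_DATA
    return data.ljust(PAGE_DATA, b"\xff") + struct.pack("<II", lpn, seq)


def build_sample_dump() -> bytes:
    """Constructed physical dump: logical pages written out of order, one page rewritten
    (remapped by wear leveling) and one 'deleted' by overwriting it with blank data."""
    return b"".join([
        make_page(b"SMS: hello v1", 2, 1),
        make_page(b"CONTACT: Alice", 0, 2),
        make_page(b"SMS: hello v2", 2, 3),     # newer copy of logical page 2 in another physical page
        make_page(b"LOG: boot ok", 1, 4),
        make_page(b"SMS: secret", 3, 5),
        b"\xff" * PAGE_SIZE,                     # erased / free page
        make_page(b"", 3, 6),                    # logical page 3 'deleted' (blanked) by the file system
    ])


def parse_pages(dump: bytes):
    """Yield (physical_page_no, logical_page_no, seq, data) for every programmed page."""
    assert len(dump) % PAGE_SIZE == 0, "dump is not page-aligned"
    for ppn in range(len(dump) // PAGE_SIZE):
        page = dump[ppn * PAGE_SIZE:(ppn + 1) * PAGE_SIZE]
        lpn, seq = struct.unpack("<II", page[PAGE_DATA:])
        if lpn == FREE:
            continue
        yield ppn, lpn, seq, page[:PAGE_DATA]


def rebuild(dump: bytes):
    """Return (logical_image, stale): logical_image maps lpn -> newest data (what a logical
    acquisition sees); stale lists superseded copies that only the physical dump still holds."""
    newest = {}                      # lpn -> (seq, ppn, data)
    stale = []                       # (lpn, seq, ppn, data)
    for ppn, lpn, seq, data in parse_pages(dump):
        if lpn in newest:
            if newest[lpn][0] > seq:     # a newer copy was already seen earlier in physical order
                stale.append((lpn, seq, ppn, data))
                continue
            stale.append((lpn,) + newest[lpn])
        newest[lpn] = (seq, ppn, data)
    # rstrip only removes the demo padding; real page data is kept verbatim
    logical_image = {lpn: v[2].rstrip(b"\xff") for lpn, v in sorted(newest.items())}
    return logical_image, stale


if __name__ == "__main__":
    image, old = rebuild(build_sample_dump())
    for lpn, data in image.items():
        print(f"LPN {lpn}: {data!r}")
    for lpn, seq, ppn, data in old:
        shown = data.rstrip(b"\xff")
        print(f"stale copy of LPN {lpn} (seq {seq}) at physical page {ppn}: {shown!r}")
```

Running it shows logical page 3 as empty in the rebuilt image while the "SMS: secret" copy is still present in the stale list; on a real dump the tag format has to be worked out first, and bad-block markers and ECC must be honoured before any page is trusted.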
5. Examination of source data
• SQLite
  • Serverless, file-based database storage
  • Supported by the core frameworks of the various mobile platforms
  • Database connection software/driver needed
  • Sometimes hard to interpret / "join" the different tables
• Text files
  • XML: dynamic tag-based description files; common for configuration files; hard to put into fixed-width tables (e.g. XLS)
  • PLists: like XML files, common on Apple devices (the type may be binary rather than text)
  • CSV: not very common on the devices themselves, but common as an export format to be examined and processed after the data extraction from the phone
• Binary files
  • Mostly proprietary formats, sometimes pure byte streams
  • Have to be decoded prior to examination
  • PLists are sometimes stored in binary format to reduce file size
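Because a file called `.plist` may be XML or binary, and a `.db` may or may not be SQLite, the first step of examination is to classify a file by its leading bytes. The snippet below is an added example (not from the slides): it sniffs the magic bytes, loads either plist flavour with the standard library, and flattens the nested structure into key-path/value rows that fit a fixed-width table. The sample plist content (key names, the pairing record bytes) is constructed for the demo.

```python
import plistlib
from datetime import datetime

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database file
BPLIST_MAGIC = b"bplist00"              # binary property list header


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name or extension."""
    if data.startswith(SQLITE_MAGIC):
        return "sqlite"
    if data.startswith(BPLIST_MAGIC):
        return "bplist"
    head = data.lstrip()[:512]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml-plist" if b"<plist" in head else "xml"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def load_plist(data: bytes):
    """plistlib detects XML vs. binary itself; binary plists store dates as CFAbsoluteTime
    (seconds since 2001-01-01 UTC) and plistlib hands them back as naive UTC datetimes."""
    return plistlib.loads(data)


def flatten(obj, prefix=""):
    """Turn the nested dict/array structure into (key path, leaf value) rows for a flat table."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}/")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}/")
    else:
        yield prefix.rstrip("/"), obj


# Constructed sample resembling a device settings plist (key names are made up for the demo)
SAMPLE_DOC = {
    "LastBackupDate": datetime(2012, 9, 1, 0, 0, 0),   # naive datetime = UTC for plistlib
    "Devices": [{"Name": "iPhone", "PairingRecord": b"\x01\x02\x03"}],
    "PasscodeSet": True,
}


def sample_binary_plist() -> bytes:
    return plistlib.dumps(SAMPLE_DOC, fmt=plistlib.FMT_BINARY)


def sample_xml_plist() -> bytes:
    return plistlib.dumps(SAMPLE_DOC)   # default format is XML


def decode_any(data: bytes):
    """Return (kind, rows): rows is the flattened table for plist kinds, None otherwise."""
    kind = sniff(data)
    rows = list(flatten(load_plist(data))) if kind in ("bplist", "xml-plist") else None
    return kind, rows


if __name__ == "__main__":
    for blob in (sample_binary_plist(), sample_xml_plist(), SQLITE_MAGIC + b"\x00" * 84):
        kind, rows = decode_any(blob)
        print(kind, rows)
```

Both flavours of the same document flatten to identical rows, which is what makes a later keyword search or CSV export independent of how the device happened to store the file.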
• Different time formats, e.g.
  • seconds since 01.01.1970 00:00:00 UTC (Unix timestamp), very popular
  • milliseconds since 01.01.1970 00:00:00 UTC
  • microseconds since 01.01.1970 00:00:00 UTC (PRTime), e.g. Mozilla Firefox
  • microseconds since 01.01.1601 00:00:00 UTC (WebKit time), e.g. Google Chrome
  • seconds since 01.01.2001 00:00:00 UTC (CFAbsoluteTime), typical for Apple
• Specific flags, e.g.
  • 0 = no / 1 = yes
  • odd = outgoing / even = incoming (e.g. the flags column in the iOS sms.db)
• Software-specific types, e.g.
  • Mozilla Firefox (visit types, see the reference)
• Different formatting issues, e.g.
  • line breaks (a problem when exporting to/from CSV text files)
  • HTML tags (unpleasant to read)
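The timestamp and flag conventions above, and the SQLite handling described earlier in this section, as one added example (not code from the slides or from SQLiteProcessor): a small converter for the five epoch formats, a magnitude heuristic for guessing which one a bare number is, and a constructed in-memory table shaped like the `message` table of an iOS sms.db (simplified columns) whose CFAbsoluteTime dates and odd/even flags are decoded both in Python and inside SQLite itself. The phone numbers and message texts are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# format -> (microseconds per unit, offset of the format's epoch from the Unix epoch in seconds)
FORMATS = {
    "unix_s":       (1_000_000, 0),               # seconds since 1970-01-01
    "unix_ms":      (1_000, 0),                   # milliseconds since 1970-01-01
    "prtime_us":    (1, 0),                       # microseconds since 1970-01-01 (Mozilla PRTime)
    "webkit_us":    (1, -11_644_473_600),         # microseconds since 1601-01-01 (Chrome/WebKit)
    "cfabsolute_s": (1_000_000, 978_307_200),     # seconds since 2001-01-01 (Apple CFAbsoluteTime)
}


def to_utc(value, fmt: str) -> datetime:
    """Convert a raw timestamp of the given format into an aware UTC datetime."""
    per_unit_us, epoch_offset_s = FORMATS[fmt]
    micros = round(value * per_unit_us) + epoch_offset_s * 1_000_000
    return UNIX_EPOCH + timedelta(microseconds=micros)


def guess_format(value):
    """Heuristic by magnitude, valid for dates between roughly 2001 and 2030: CFAbsoluteTime has
    9 digits, Unix seconds 10, Unix ms 13, PRTime 16, WebKit 17. Ambiguous outside that window."""
    digits = len(str(int(abs(value))))
    return {9: "cfabsolute_s", 10: "unix_s", 13: "unix_ms", 16: "prtime_us", 17: "webkit_us"}.get(digits)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table shaped like the 'message' table of an iOS sms.db (simplified)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message (address, date, text, flags) VALUES (?, ?, ?, ?)", [
        ("+491701234567", 368150400, "Meet at 9?", 2),   # even flags -> incoming
        ("+491701234567", 368150460, "OK", 3),           # odd flags  -> outgoing
    ])
    return con


def decode_messages(con: sqlite3.Connection) -> list:
    """Read the table and normalise timestamps and flags into investigator-readable fields."""
    rows = con.execute("SELECT ROWID, address, date, text, flags FROM message ORDER BY date").fetchall()
    return [{
        "rowid": rowid,
        "address": address,
        "time_utc": to_utc(date, "cfabsolute_s").isoformat(),
        "text": text,
        "direction": "out" if flags % 2 else "in",
    } for rowid, address, date, text, flags in rows]


def sql_side_times(con: sqlite3.Connection) -> list:
    """The same conversion inside SQLite: shift to the Unix epoch, then use the built-in datetime()."""
    query = "SELECT datetime(date + 978307200, 'unixepoch') FROM message ORDER BY date"
    return [row[0] for row in con.execute(query)]


if __name__ == "__main__":
    con = build_sample_db()
    for message in decode_messages(con):
        print(message)
    print(sql_side_times(con))
```

Do the conversion once, in UTC, and carry the original raw value alongside the converted one in the report; the time zone of the device at the time of the event is a separate question that the raw number cannot answer.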
6. Reporting the results
• Present the data e.g. on a terminal server or burned onto optical media together with a (stand-alone) dedicated viewer application
• The investigator can refine the data
  • focus on specific artifacts (e.g. chats, log files, e-mails etc.)
  • focus on specific media (pictures, videos, audio memos)
  • search with keywords (produce hits)
  • filter with keywords (reduce the data output)
• But: German law demands evidence on paper
  • so: print a report / burn the report on CD
• Problems
  • exported data too large to fit on a CD/DVD ...
  • potential malware inside the police network (concerning the viewer application)
• Warnke12: Trends in der Forensik von Mobiltelefonen. Peter Warnke, Cellebrite GmbH, http://www.anwendertag-forensik.de/content/dam/anwendertag-forensik/de/documents/2012/Vortrag_Warnke.pdf [18.09.2012]
• Punja08: Mobile Device Analysis. Shafik G. Punja and Richard P. Mislan, http://www.ssddfj.org/papers/SSDDFJ_V2_1_Punja_Mislan.pdf [01.06.2008]
• FTL09: A Survey of Flash Translation Layer. Tae-Sun Chung et al., http://idke.ruc.edu.cn/people/dazhou/Papers/AsurveyFlash-JSA.pdf [17.04.2009]
• Swauger12: Chip-Off Forensics. Jim Swauger, http://www.binaryintel.com/wp-content/uploads/2012/05/Chip-Off_Forensics_Article.pdf [02.2011]
• Schatz12: Android Forensics Deep Dive. Dr. Bradley Schatz, http://www.schatzforensic.com.au/presentations [2012]
• CENSE12: Introduction to Flash Memory. Roberto Bez et al., paper from CENSE, http://www.cense.iisc.ernet.in/academics/Binder-Nonvolatile1.pdf [2012]
• SIMSON11: Android Forensics. Simson L. Garfinkel, http://simson.net/ref/2011/2011-07-12%20Android%20Forensics.pdf [12.07.2011]
• Oxygen11: Android Forensics Study of Password and Pattern Lock Protection. Oleg Fedorov, http://articles.forensicfocus.com/2011/11/18/android-forensics-study-of-password-and-pattern-lock-protection [18.11.2011]
• Zdziarski13: iOS Forensic Investigative Methods. Jonathan Zdziarski, http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf [13.05.2013]
• Name at least
  • 3 different types of mobile evidence data
  • 5 problems / limitations of mobile forensics
  • 3 ways of preventing remote access to a mobile device
• Describe the different
  • types of device locks and how to handle them
  • types of memory and which information can be retrieved from them
  • acquisition methods and when each of them has to be used
  • physical acquisition methods and how they are carried out
• Explain the difficulties
  • of wear leveling when dealing with flash memory
  • when retrieving and processing inhomogeneous data sources / formats
  • between the technical and the investigative point of view regarding mobile forensics